School CTF 2015 Writeups

School-CTF was a short 5-hour CTF. Nevertheless, they offered awesome challenges and it was fun. Internetwache made it to 17th place.

The jury posted their sample solutions and most of them don’t differ from ours, so we’re only going to write about the solutions we approached differently.

Admin 200: Awesome web

After saving the admin private key, you could connect to one of the SSH ports:

 ssh -v -p 15026 -i /tmp/admin.key -F /dev/null admin@sibears.ru

A simple shell welcomed us:

admin:~$ ls
flag.txt
admin:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo

You can see the flag, but you only have a limited set of commands. I gave history a try and scrolled through the commands of other CTF participants (at least I didn’t use the majority of the commands). Luckily I discovered a strange-looking string therein which turned out to be the correct flag: 4dm1n_1s_1mp0r74nt_m^^mk3y

We didn’t think that this was the intended solution, so we wanted to see if we could extract the flag ourselves. We learned that there are more restrictions than just a limited set of commands:

admin:~$ ls /
*** forbidden path: /
admin:~$ echo $(< flag.txt)
*** forbidden syntax: echo $(< flag.txt)

After playing around for a while and almost giving up because of the forbidden syntax error, we tried the following command:

admin:~$ echo "$(cat flag.txt)"
4dm1n_1s_1mp0r74nt_m^^mk3y

YAY - But we still haven’t figured out if that’s a legit solution or a bypass for the filters.
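The behaviour seen above (unquoted `$(...)` rejected, the same construct inside double quotes accepted) is what a deny-list that skips quoted text would produce. The following added example, which is not code from the CTF or from this write-up, contrasts such a filter (`naive_filter`, a hypothetical guess at the cause, not the challenge's real implementation) with an allowlist check that scans the raw line:

```python
import re
import shlex

# Commands the restricted shell listed under "?" in the session above.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}

# Characters that start an expansion, a redirection or command chaining.
META = set("$`;&|<>\\\n")

QUOTED = re.compile(r"""("[^"]*"|'[^']*')""")

def naive_filter(line):
    """Hypothetical deny-list: drops quoted text, then scans the rest."""
    unquoted = QUOTED.sub("", line)
    return not any(ch in META for ch in unquoted)

def strict_filter(line):
    """Allowlist the command and reject metacharacters anywhere in the
    raw line. The shell still expands $(...) and backticks inside double
    quotes, so quoted text is scanned too (single-quoted text is rejected
    as well, which is stricter than needed but simpler to reason about)."""
    if any(ch in META for ch in line):
        return False
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWED

# Constructed sample input, based on the commands shown in the write-up.
SAMPLES = [
    "ls",
    'echo "hello world"',
    "echo $(< flag.txt)",
    'echo "$(cat flag.txt)"',
]

def compare(samples=SAMPLES):
    """Return (line, naive verdict, strict verdict) for each sample."""
    return [(s, naive_filter(s), strict_filter(s)) for s in samples]

if __name__ == "__main__":
    for line, naive, strict in compare():
        print(f"{line!r:28} naive={naive!s:5} strict={strict}")
```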

Crypto 100: Lazy cryptanalyst

We didn’t google for the website in the picture, but started to write a small python script to substitute the characters:

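# Ciphertext from the challenge (elided here).
text = "bsxz [....] qoiy."

newtext = ""

# Known substitutions: ciphertext letter -> plaintext letter.
switch = {
    'b': 't',
    's': 'h',
    'x': 'i',
    'z': 's',
    'u': 'f',
    'm': 'y',
    'o': 'm',
    'i': 'e',
    'q': 'a',
    'g': 'o',
    'v': 'l',
    'h': 'u',
    'f': 'w',
    'y': 'n',
    'j': 'k',
    'w': 'b',
    'e': 'd',
    'l': 'g',
}

# Replace every mapped character; anything without a mapping
# (spaces, punctuation, unmapped letters) is copied unchanged.
for char in text:
    if char in switch:
        char = switch[char]
    newtext += char
print(newtext)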

After solving it this way, Denis pointed us to the website quipqiup.com, which instantly found the correct substitutions.

Joy 100: Highly professional

The only difference from the given solution was that we used Google’s reverse image search to find out that it has something to do with the hacker series Mr. Robot. Googling further led to a wiki which listed the names of three employees. One of them was the flag: Gideon_Goddard

Stegano 100: Pure color

The sample solution uses MS Paint to change the background color. Using GIMP, we played around with the color curves of red, green & blue. Moving the blue color curve to the bottom right-hand corner revealed the yellow label with the flag: flag_is_this_is_a_simple_stego

Flags

Here’s a list with all services we solved:

admin200: FLAG_G0D_DAMN_BR0_U_R_S0_C00L_DECRYPTOR
crypt100: a day without blood is like a day without sunshine
crypt200: remember_the_plaintext
joy100: Gideon_Goddard
web100: l375_$7ar7_w3b_h4ck5
steg100: true_steganographers_doesnt_need_any_tools
steg200: flag_is_this_is_a_simple_stego
admin200: 4dm1n_1s_1mp0r74nt_m^^mk3y
web200: n0t_0nly_1nj3ct10ns_4r3_d4ng3r0us
exploit100: thanks_god_we_got_not_only_binaries
ppc200: flag_1s_1t_w@s_t00_easy
joy200: flag_is_dont_let_apples_hit_your_brain (strings on level0)
ppc400: ~y@y_I_cod3d_!7_^^
web400: U_c4n_b3_v3ry_us3ful_0n_upc0m1ng_3l3ct10ns
admin300: Flag_is_{7Ru3_4dM1n_C4N_D0_4Ny7h1NG_Fr0M_C0MM4nD_L1N3}
exploit300: every_haxor_loves_EvAlS

The team of internetwache.org